Cybersecurity is Everyone’s Business It’s really easy to sweep cybersecurity under a rug. The BAS industry has not had to address this issue in the past as most of the systems we have installed have been disconnected from the rest of the world. With the move to IP, this is no longer the case.

Anto Budiardjo, Editor,  New Deal for Buildings

It is easy to think of cybersecurity as just another challenge for the tech people since that is typically how we think of other challenges that technology solves; think computing power, digital audio, smartphones, etc.

The above sentiment is especially true in the BAS industry, the focus of this scribe. The “everyone’s business” mantra applies all the way from sales to maintenance, product development to distribution, and from the boardroom to the boiler room. Cybersecurity is everyone’s business.

Why is this the case? Why is cybersecurity any different than other technologies that the BAS industry has adopted in the past? I am arguing here that over the next few decades, addressing cybersecurity will be a key subject in the evolution of the digital world. In our personal lives, we will make decisions based on it, but those decisions are relatively simple; it comes down to which smartphone you buy or where you do online shopping. The heavy lifting will mostly be done by large tech vendors behind the scenes. As with all things consumer, it will come down to brand reputation. We are seeing this play out with the large tech companies’ positioning around security.

BAS is a B2B space, and building systems are never a “standard product” per se. This is because each building is different; they are engineered systems in the truest sense of the term. Thus, each building is financed, specified (even if using a template), designed, planned, built (using standard components), commissioned, maintained, and operated according to its own specific needs.

The one thing we know about cybersecurity is that what the bad actors look for is a weakness in the system. As the defender of BAS, we as an industry must be 100% secure 100% of the time, whereas a potential intruder only needs to be successful once. And, they get to try as many times as their economic motivation justifies. The odds are on their side.

This is where the concept of holistic cybersecurity makes complete sense and should be the battle cry of all players in the BAS industry.

As a sales executive, it’s imperative that your prospects understand the need to include cybersecurity tools and services as part of what you propose to them.

As a board director of a BAS company, it is imperative to know the cybersecurity profile of the company you oversee and to allocate adequate resources for the company to address security fully.

As a maintenance engineer, it is critical that you abide by the cybersecurity policies and procedures in place at any facility you maintain, and you must demand them if they are not forthcoming.

As a product developer, you must ensure that any product you work on addresses all of the requirements and best practices necessary such that the products are secure.

As a mechanical engineer, it is important to use the right tools and procedures to do your work and be extra careful in potentially vulnerable areas such as user credentials.

Basically, as a [add your role here], you must consider how your actions could expose the building in which you are working and do everything necessary to prevent a vulnerability from being exposed by malicious actors.

Yes, I know, we all have a whole bunch of other, more pressing priorities to deal with; project completion, budget numbers, profits, getting home to your family, and so on. How do you add yet another issue in today’s crazy and hectic work environment?

[an error occurred while processing this directive]I have a few suggestions that should make this easier.

1. Add “Cybersecurity” to all project meeting agendas. And, don’t just add it as the last item that can be skipped as the meeting concludes, add it as the first item! The point isn’t to spend much time on it; it’s to remind everyone to think about cybersecurity.
   
2. Don’t do business with anyone that does not take cybersecurity seriously. Would you buy a car without breaks or seat belts? Ask your vendors and clients about their cybersecurity policies and expectations. If they don’t have one, you are possibly exposed.
   
3. Expose risks when they are obvious. Many times, we see flagrant breaches of the most fundamental cybersecurity hygiene principles; visiting a client that has passwords on a post-it note, a co-worker setting a new password as “password”. How you expose these risks depends on you. Be sensitive and kind, but not doing so makes you culpable.
   
4. Use basic security tools always. Responsible systems will enable the use of Multi/Two Factor Authentication to make sure your credentials are not abused, and technologies such as VPN/VLANs are widely available. Use them in the normal course of business.
   
5. Don’t plug in the USB memory stick you found in the parking lot. Be very wary of introducing any unknown devices, software or other digital assets into any of your, or your client’s equipment. This is how Stuxnet was said to have been deployed.
   

It’s really easy to sweep cybersecurity under a rug. The BAS industry has not had to address this issue in the past as most of the systems we have installed have been disconnected from the rest of the world. With the move to IP, this is no longer the case.

Stay safe and secure out there.